Consejos Básicos de Seguridad en NAS: RAID no es Backup

Carpe Diem

Uno de los principales motivos de comprar un NAS es que tienen varias bahías para discos, lo que permite crear los conocidos “arrays” de discos, o RAIDs, que pueden venir en múltiples formas y colores, o mejor dicho, tipos (RAID1, 5, 10, etc) y se caracterizan por distribuir nuestros datos entre múltiples discos, y de esta forma ofrecer redundancia de datos. A menudo, esto general la falsa sensación de seguridad de que “mis datos están protegidos”, cuando en realidad, no es así. Un RAID nunca ha sido, es, ni será una alternativa o sustituto a un backup (copia de seguridad), y me gustaría explicaros los motivos.

¿Qué es RAID?

RAID es el acrónimo de “redundant array of independent disks”, y en esencia es una forma de distribución de datos a través de múltiples discos, lo que proporciona mayor rendimiento de lectura/escritura (dependiendo del tipo de RAID) y redundancia ante el fallo de uno o más discos.

Es importante especificar que el objetivo de RAID no es la protección de los datos (como explicaré a continuación), si no evitar los conocidos “downtimes”. En caso de fallo de disco, RAID permite que todo el sistema siga funcionando hasta que el usuario pueda sustituir el disco dañado, momento en el cual el array se reconstruirá automáticamente hasta volver a ser estable.

Por lo tanto: RAID nos proporciona REDUNDANCIA.

¿Qué NO es RAID?

RAID NO ES BACKUP

RAID no es una forma de protección de datos porque solamente protege contra una única forma de fallo: Fallo de uno (o más, dependiendo del tipo de RAID) de los discos que lo conforman. Ya está.

RAID no protege contra el resto de incidencias que pueden destruir tus datos, entre las que se encuentran (pero no se limitan a):

  • Error humano (borrado accidental de archivos)
  • Error / configuración errónea de software (por ejemplo un bug en Plex que borre toda la carpeta de películas)
  • Ransomware / Malware
  • Apagón que desconecte el NAS de forma brusca y produzca que se corrompa la tabla de particiones del array
  • Fallo de hardware / subida de tensión que fría componentes/discos
  • Ladrones que entren en tu casa y roben los discos // El NAS
  • Un ataque nuclear estratégico, que en caso de ocurrir, destruirá tu array, tu NAS, tu casa, y probablemente varios kilómetros a la redonda.

Debes pensar en RAID como pensarías en archivos duplicados en tu ordenador. Ni más, ni menos.

Imagina que tienes una carpeta “fotos” con todas las fotos de tu vida dentro (por poner un ejemplo), y que esa carpeta está en C:\fotos. Ahora imagina que simplemente copias esa carpeta a C:\fotos2. ¿Considerarías eso una copia de seguridad? No, ¿verdad?, porque los archivos están dentro del mismo disco. Es peligroso, porque si te falla el disco, lo pierdes todo.

Ahora imagina que copias la carpeta C:\fotos en otro disco dentro del mismo ordenador, a D:\fotos. ¿Considerarías eso como algo seguro? ¿Qué pasa si te entra un ransomware y te encripta todos los discos? ¿Realmente confiarías todas las fotos de tu vida a una copia de una carpeta dentro del mismo ordenador? No, ¿verdad? Lo mínimo que exigirías sería copiar las fotos a un disco duro externo por USB. ¿A que sí?

Pues con RAID es lo mismo. Para proteger tus datos necesitas que estos estén FUERA DEL DISPOSITIVO. Si no es así, tienes que asumir que no hay copia de seguridad, y tienes que estar mentalmente preparado para perder tus datos en cualquier momento. Es lo que hay, y va a ocurrir, antes o después.

No se trata de si serás afectado por un Ransomware o no, sino de CUANDO

Algunas preguntes frecuentes:

    “Yo uso RAID6/7 que tiene dos/tres discos de paridad, así que mi array puede tolerar el fallo de muchos discos. Sigo necesitando un Backup?

Sí. RAID NO ES BACKUP.

Escuchad al maestro. Sabe de lo que habla.

    “Uso una función de mi NAS llamada “instantáneas”. Sigo necesitando Backup”

Sí. Las instantáneas se guardan dentro del mismo NAS. No son backup. Además las instantáneas habitualmente utilizan software y sistemas específicos del fabricante, no universales.

   “Y si uso un disco dedicado en la bahía 4 para hacer copias de los datos que están en las otras bahías, ¿eso es un backup?”

No. Backup tiene que ser forzosamente fuera de la unidad. No es distinto a lo que comentábamos antes de duplicar la carpeta “fotos” en el disco D:

   “Entonces, ¿para qué quiero RAID, de qué me sirve?

RAID te permite no tener que recuperar de tus backups en caso de fallo de disco, lo cual es muy cómodo. Te pongo un ejemplo: Tienes tus NAS con Plex/ Emby/Jellyfin, Nextcloud, carpetas compartidas en SAMBA, etc. De repente te falla el disco 1, donde tienes instalado el sistema.

Sin RAID: El NAS dejará de arrancarte porque te ha fallado el disco, y el OS está instalado en él. Tienes que comprar un disco nuevo, esperar a que llegue, sacar el que ha fallado, instalar el nuevo, reiniciar el NAS y volver a configurar todo, reinstalar aplicaciones (básicamente como si acabaras de comprar el NAS). Cuando acabes, tienes que acceder a tus backups, y recuperar todos los archivos. Volver a configurar Plex, nextcloud, etc etc. Y durante todo este periodo, a todos los efectos no tienes NAS. Nada de plex, de pelis, carpetas compartidas, nada.

Con RAID: Tu NAS te notifica que el disco 1 ha fallado, y el RAID entra en estado degradado. Todo sigue funcionando igual. Compras el disco nuevo, cambias el disco que ha fallado por el nuevo, y el NAS automáticamente restaura el array a la normalidad. Durante todo el proceso, tu NAS ha seguido funcionando.

Para eso sirve RAID. Es cómodo de tener, y ofrece cierta protección, así que si tienes la opción de usarlo, adelante.

   “Entonces, ¿Si no me importa todo el tema del downtime, puedo prescindir de usar RAID, y usar solo Backup?”

ABSOLUTÁSTICAMENTE SÍ.

   “Si no puedo permitirme (por los motivos que sean) tener tanto RAID como Backup, y tengo que elegir lo uno o lo otro, ¿Que elijo?

Backup. Si quieres proteger tus datos, Backup. Siempre Backup. Es mejor tener protección de datos sin redundancia, que redundancia sin protección de datos.

Como planificar backups. Estrategia 3-2-1.

Todos tenemos datos que queremos proteger, y otros que… bueno.

Todos y cada uno de nuestros datos son valiosos… mas o menos

La solución actualmente aceptada como “ideal” para los backups es la estrategia 3-2-1: AL MENOS 3 copias de los datos, en AL MENOS dos unidades distintas, con AL MENOS una copia off-site (en otra localización geográfica).

Esto es así para evitar por ejemplo, desastres naturales, como el incendio de tu domicilio, o un robo, situaciones en las cuales perderás todos los backups que estén en el mismo lugar.

No obstante, a menudo no es posible/conveniente tener una política 3-2-1, sobre todo cuando es mucha la cantidad de datos a proteger. En tal caso, el mínimo absoluto imprescindible podría ser 2-2-0, aunque no es lo recomendable.

También es esencial probar a restaurar tus backups una vez hechos. No sería la primera vez que alguien hace backups de sus datos durante años, solo para descubrir, al intentar restaurarlos tras una pérdida masiva, que hizo algo mal desde el principio, y sus datos no son recuperables. Un backup solo es tan bueno como su capacidad de ser restaurado.

Very Very Importanter!

Primer paso: Determinar tus necesidades de espacio

Es más fácil hacer backup de 3TB que de 40TB. Deberías separar tus datos en tres tipos:

  • Datos vitales que quieres proteger (datos personales y fiscales, documentos, fotos, etc). Sobre este grupo deberías aplicar la política 3-2-1. Puedes conseguir cuentas gratuitas de hasta 15GB online (Google Drive, Mega, etc). ¡Asegúrate de encriptar tus backups si vas a subirlos online!
  • Datos no tan vitales que te gustaría proteger, pero por los que no estás dispuesto a pagar para almacenar online, y que si se perdieran, podrías continuar con tu vida (más o menos) bien. Puedes aplicar una política 2-2-0 sobre estos datos (ej, cópialos a un disco duro externo).
  • Datos que te importan un pimiento. No hagas backup de esto.

Pero ojo, debes tener claro qué te importa y qué no. Yo pensaba que mis 6TB -hoy en día ya casi 8- de multimedia no me importaban en absoluto porque podía descargarlas de nuevo si lo necesitaba, hasta que tuve un apagón y casi pierdo mis datos… y me imaginé el palo enorme que me daba volver a buscar y bajarlo todo. Desde entonces incluí mi biblioteca multimedia dentro de mis backups. Tienes el poder de elegir quien vive y quien muere. Úsalo sabiamente.

Segundo paso: Elegir donde realizarás tus copias de seguridad

  • Si el total de datos a respaldar es menor de 12TB, la forma más sencilla es comprar un disco duro externo de alta capacidad (12-14TB) y hacer los backups allí. Los discos Western Digital Elements o My Book son una solución popular, que cuando están de rebajas, pueden conseguirse por hasta 18€/TB. Simplemente conéctalo a tu NAS, y usa el software más te guste para hacer el backup. ¡¡Recuerda SIEMPRE desconectarlo tras acabar la copia, o de lo contrario, puede verse afectado en caso de Ransomware!!

Listo, ya tienes un backup 2-2-0 de tus datos. Si quieres una solución barata para tener 3-2-1, puedes comprar otro disco (llamemos disco B) y repetir el backup. Entonces te llevas ese disco B y lo guardas en casa de un familiar/amigo (recuerda encriptar solo por si acaso, no sea que alguien curiosee dentro de tu carpeta de “Otros”). Cuando quieras actualizar el backup, lo haces en el disco que tienes en casa (Disco A), te lo llevas a la casa de tu familiar/amigo y dejas allí el Disco A y te traes a casa el disco B y actualizas de nuevo el backup. De este modo tienes copias off-site de forma barata.

  • Si el total de datos a respaldar es mayor de 12TB, la cosa se complica. La única forma factible es adquirir otro NAS y crear un RAID o JBOD para usarlo como backup del NAS primario. Sí, ya lo sé.

Si quieres copias off-site, puedes dejar este NAS en casa de un familiar/amigo y hacer las copias de seguridad directamente a través de internet. Si un amigo tuyo también tiene un NAS, podéis acordar que cada uno de vosotros deje X cantidad de TB disponible para el otro en su unidad, de modo que tú haces backup en su NAS, y él hace backup del suyo en el tuyo (recuerda encriptar, lo de la carpeta “Otros”).

Siempre puedes simplemente pagar por almacenamiento en la nube (Backblaze, Amazon, etc) y hacer los backups off-site allí. Esto ya depende de cada uno, de sus necesidades, y su poder adquisitivo.

Y por supuesto, siempre puedes decidir no hacer backups. Y es una opción totalmente legítima, siempre que tengas claro que automáticamente pierdes el derecho a cabrearte y patalear cuando (no si, cuando) pierdas tus datos, ya que será 100% culpa tuya.

¿Qué software debería usar?

Esto es una cosa muy personal. Yo personalmente soy muy fan de todo lo que sea FOSS (Free Open Source Software), como por ejemplo Borg Backup, Duplicati o Restic. De todos modos, todas las marcas de NAS ofrecen su propia solución para hacer copias de seguridad (Por ejemplo en QNAP el software se llama Hybrid Station 3), así que alternativas tienes. Elije el que más te guste, y que te sea más fácil de utilizar (que normalmente suele ser el software incluido de serie en el NAS) . Si vas a encriptar, normalmente todos los programas de backup tienen esa opción incluida, así que es suele ser tan fácil como seleccionar esa opción.

Mi setup personal es:

NAS Primario: TS-673 con 5 discos de 10TB en RAID6 (unos 27TB de espacio total usable).

NAS de backup: Synology DS218J con dos discos de 10TB en JBOD.

Agrupo mis datos en dos tipos: Los datos esenciales, que suman menos de 15GB, y los datos menos esenciales, que suman actualmente 13TB. Los datos esenciales se guardan en el DS218J usando un contenedor con Borg Backup, y además se suben online usando un contenedor con rclone a una cuenta en Mega (ambas copias encriptadas).

Los datos menos esenciales se guardan en el DS218J usando Borg Backup, pero no tienen respaldo online (principalmente descargas, copias de seguridad de los múltiples dispositivos/ordenadores, y la biblioteca multimedia).

Espero que este telegraph haya sido de utilidad. Un saludo a todos. 🙂

 

Fuente del artículo: aquí
Mastodon
Mastodon

Zebra Crossing: an easy-to-use digital safety checklist

Note from mine (Daniel Alomar)

I will recommend to use andOTP (Android) or freeOTP  (iOS) as a OTP app manager instead Google Authenticator  and Authy. Both have telemetry. AndOTP is an opensource OTP app that contains no tracker, furthermore, it has PIN protection..

thinking Who this guide is for

  • You use the internet on a day-to-day basis – for work, social media, financial transactions, etc.
  • You feel you could be doing more to ensure your digital safety and privacy, but you’re not in immediate danger. (If you are, seek out an expert for a one-on-one consult.)
  • You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer/smartphone.

seedling How to use this guide

  • Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!
  • Everyone should follow the recommendations in levels one and two. They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.
  • Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.
  • The scenarios listed after are for higher-stakes situations — scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)
  • This guide is a living document – please feel free to submit a pull request or fork your own version of this guide on GitHub.

speaking_head This guide in other languages

clock3 Last updated

  • 20 January 2021

monocle_face Theory & science

dart Threat modeling

  • What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment/doxxing.
  • What kind of assets are you protecting? E.g. confidential documents, private photos.
  • We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.

link Weakest link

  • Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.

abcd Encryption levels

  1. No encryption: Any third party who intercepts the data can read it as-is.
  2. Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.
  3. End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.

jigsaw Metadata

  • Data about your data – e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.

 

sweat_drops Level 1 recommendations

white_check_mark Things to do now

Strengthen passwords

  • Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.
  • Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.
  • Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here) to store/autofill/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).
  • Use a non-common/obvious unlock code for your phone with at least 9 digits.

Double lock important accounts

Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.

  • Download an authenticator app like Authy or Duo Mobile. Apps are far more secure than SMS so use one if it’s available.
  • Turn on 2FA on your:
  • Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy and Duo Mobile.

Email

  • If you’re on a webmail service, check that you’re logging into it using an https:// URL. And if there isn’t one, find a new email provider.
  • After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions.

Encrypt your devices

  • Encrypt your computer hard drive:
  • Encrypt your phone storage:
    • iOS: Automatically encrypt.
    • Android: Recent versions automatically encrypt. Double check by going to Settings → Security → Encryption.
  • Secure your backups too!
  • N.B. Remember encryption is only fully effective when the device is off!

Other

?? Habits to cultivate

Email

  • Be on the lookout for phishing scams: where possible double check the From email address and the domains that outbound links go to.
  • Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.
  • You can upload a suspicious attachment to VirusTotal for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don’t submit sensitive information).

Update all the things

  • When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.
  • Update your apps (on mobile or computer) similarly.
  • Check occasionally for firmware updates for your router (and other Internet-connected devices).

Other

  • Change important passwords (e.g. email, computer login, password manager master) every year or two.
  • Wipe your devices properly before donating/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic.
  • Don’t charge your phone at public charging stations/ports – they may steal your data. Consider charging your portable battery instead.

+1 Great job! You’ve covered the basics. +1 Treat yourself to a cup of tea and a stretch.
+1 Now, ready for the next level?

 

sweat_dropssweat_drops Level 2 recommendations

white_check_mark Things to do now

Enhance your privacy

  • Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.
  • Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number/profile picture are public.
  • Install these protective web browsers add-ons on your computer (and make sure they’re on even during private/incognito mode):
  • Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.
    • iOS: Settings → Privacy → Location Services.
    • Android: Settings → Apps & notifications → App permissions.
  • On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.
  • If you use smart speakers, turn off its recording function:

Set up your home wifi router

  • Login to the administration and settings dashboard (check your router’s instructions but it’s often at http://192.168.0.1)
  • If the password to login to this dashboard is really simple, then update it.
  • Look through what devices are connected to the network right now (click around until you find the access control) and make sure you know what every device on the list is.
  • If you see these options, turn them off. Look for them under advanced settings or gateway functions:
    • UPnP (universal plug and play)
    • WPS (wi-fi protected setup)
    • Remote management

Other

?? Habits to cultivate

Enhance your privacy

  • Post less personal information online – especially information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.
  • If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:

  • Any one member can leak all of the data.
  • Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.
  • Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).
    • To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
      • Who can see my phone number to Nobody.
      • Who can find me by my number to My Contacts.

Other

  • When you download new mobile apps, double check to make sure it’s the right one — there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.
  • Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.
  • If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).
  • Put a sticker (or webcam cover) over your laptop’s front-facing camera.
  • Don’t use Google/Twitter/Facebook to sign up/login to other services – each service should have its own account.

tada Congratulations! You’re now reasonably
tada secure, which is more than most 🙂
tada Take the rest of the day off, and
tada come back tomorrow for Level 3.

sweat_dropssweat_dropssweat_drops Level 3 recommendations

white_check_mark To do

Lock up sensitive files

  • Identify files that you don’t want others to access (e.g. private photos, passport documents).
  • Use Cryptomator or Veracrypt to create an encrypted, password-protected vault for them.
  • Set them up on both your computer and your phone.
  • Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.

Upgrade your gear

  • Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you/your data. See recommendations from Wirecutter and Freedom of the Press.
  • Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example) for your laptop and phone.

Revisit old passwords

  • Store all of your online service passwords in a password manager. (If you have the right browser add-on/plugin installed, it will capture all the relevant details during a login process.)
  • Using your password manager’s analysis feature, see which accounts/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.

?? Habits to cultivate

  • Start using Signal, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe/secure/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)
  • When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).
  • Buy a harder-to-hack mobile phone moneybag. Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.

astonished Wow, you completed all three levels!
astonished Well done! Now quickly look below
astonished to see if any apply to you.

sweat_dropsexclamation Scenario-based recommendations

??‍? Hosting a public event on a video calling platform (e.g. Zoom)

  • Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.
  • Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom)
  • Create a plan of action for what you would do if a malicious troll gains access to your call.
  • Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio/video data and are mining your metadata to create consumer profiles.

flight_departure Crossing an international border

  • Turn off your devices because:
    • Storage/hard drives are only encrypted when they’re off, not when they’re just in sleep mode
    • This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.
  • Store less information on your devices – in case they’re seized, what you don’t have they can’t take.
  • Be mindful of what stickers you put on your devices – a border agent could mistake them for something suspicious.
  • Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer/relevant organization if you do not show up.
  • For extreme situations (some of these practices might raise suspicions and backfire):
    • Set up alternate photo albums, email addresses and social media accounts full of harmless content.
    • “Forget” half of your password: Password lock your device/account so that only a trusted friend has the second half of the password.
    • Log out of all important accounts (or simply leave your devices at home).
  • For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact and BoingBoing’s addendum about filing for attorney privileges at the US border.

sob Somebody took my phone/computer!

  • Wipe your phone remotely:
  • Log out of all important accounts from another device.
  • If this happened at an international border: Ask for a seizure receipt (available in some jurisdictions, e.g. Canada)
  • Get a new SIM card.
  • If you get it back, reset your phone/computer back to its factory settings. Then run some anti-virus and anti-spyware programs just in case.

space_invader I think my computer has been hacked!

  • Download an application that will notify you when data is being sent out from your computer. E.g. Little Snitch for Mac.
  • Run Activity Monitor on Mac or Process Explorer on Windows to look at what processes/applications are running. Google any suspicious names.
  • Login to important online accounts to see if there have been any suspicious logins – see this Motherboard guide for details.
  • Setup a spare smartphone using Haven as a room monitor to detect unwanted intrusions.

eggplant Sexting & non-consensual image sharing

✊? Attending a protest

In case of emergency

  • Draft a message to a trusted friend (not at protest) or legal hotline. Be ready to hit send if you are arrested/there is an emergency.
  • Write the phone number of the trusted friend/hotline on your arm with permanent marker as a backup.
  • Bring a spare battery for your phone.
  • If you use your fingerprint or face to unlock your phone, turn it off for now. In some places, officers can compel you to provide your fingerprint but not your passcode.
  • Immediately power off your phone if you think you’ll be arrested (disk encryption works better if it’s off).
  • Consider using a burner phone (instructions for the US) with a burner SIM card.

Store less share less

  • Keep as little sensitive personal information on your phone as possible. Delete any photos, chat logs and notes that can be used against you.
  • Use a messaging app that lets you create disappearing messages (e.g. Signal). Turn on the timer when discussing the protest.
  • Don’t take any photos or videos where people’s faces are clearly visible. Taking a photo of people’s backs is okay. (The one exception is if you’re filming a video of a conflict or arrest where documentation is key.)
  • Wear a face mask so you are not easily caught on camera.
  • When sharing photos/videos:

Minimize location tracking

  • Turn off location history:
    • iOS: Settings → Privacy → Location Services → System Services → Significant Locations.
    • Android: Settings → Google → Google Account → Data & personalization → Location History → Manage setting → Your account & all your devices → Use Location History Off.
    • Google Maps: Settings → Maps history → Web & App Activity.
  • Delete past location history:
    • iOS: Settings → Privacy → Location Services → System Services → Significant Locations → Clear History.
    • Android
    • Google Maps
  • Consider turning off all location services temporarily:
    • iPhone: Settings → Privacy → Location Services → Location Services Off.
    • Android: Security & location → Location → Use location Off.

Other

  • Double check your messaging apps’ privacy settings.
  • Turn off message previews in your notifications:
    • iOS: Settings → Notifications → Show Previews: When Unlocked.
    • Android: Settings → Apps & notifications → Notifications → On lock screen: Hide sensitive content.
  • Remember to make voice calls through end-to-end encrypted apps like Signal.

newspaper I’m a journalist working on a sensitive topic

Below are some basics that all journalists should consider. If you’re working on/in a particularly sensitive story/region (e.g. a whisteblower story), you and your team should get an tailored training session from an expert.

Be prepared

  • To remotely wipe the contents of your devices using a tracking app (e.g. Find My on iOS, Find My Device on Android, Prey, Lookout Security).
  • To be on the receiving end of an email phishing campaign (as journalist emails are usually more public than others).

Protect yourself

  • If you’re traveling, review the Crossing an international border scenario above.
  • If you’re covering a protest, review the Attending a protest scenario above and decide which parts apply to you (if you have special journalist rights/protections where you’re working).
  • Use a VPN if you’re browsing the internet at the office (website administrators can usually see that you’re coming from, say, the New York Times network)

Protect your sources

Protect your data

For more information

??‍♂️ Online harassment & doxxing

Harassment and doxxing can get very specific and complicated based on the attacker, your position, the overall cultural context, etc. While we have some general suggestions below, we implore you to think about whether your situation has escalated sufficiently and whether it’s time to find professional, one-on-one help.

Recruit a trusted friend

  • Do not force yourself into a corner by going at this alone!
    • Baseline: Ask a trusted friend to hold space for your situation and be your sounding board on analyzing how bad the threat is.
    • Preferred: Ask a trusted friend to help you investigate, record, report and block harassers — see Take Back The Tech’s Hey Friend! guide for more details about this. In some cases, it may be healthier to hand over your phone/social media/accounts over to them so that you’re not constantly triggered.
  • Alternately, reach out to online communities you’re an active member of and ask for help. See PEN America’s article on Deploying Your Supportive Cyber Communities.
  • If no one is available right now, Heartmob has a list of supportive organizations, some of which have 24/7 hotlines.

Monitor updates & collect receipts

  • Run keyword searches for your name, nickname, and address to see what’s out there. Also run an image search on your most-used profile pictures.
  • Monitor your name/username using these services: Talkwalker, Google Alerts and/or Mention moneybag.
  • Monitor and archive webpages that mention you using ChangeTower.
  • Start logging (date, time, description, screenshot) incidents in whatever program/app that’s easiest for you.
  • If future legal action is likely, pay Page Vault to capture a snapshot of a website and ask a lawyer to file an evidence preservation request with the relevant online platform.
  • Remember to take care of yourself as much as you can — eat, sleep, exercise. Call in friends to help share a meal, take a break or watch your cats for a few days.

Remove information about you off of the internet

  • Follow the instructions in the section/scenario that follows this one.

Ignore/reply/report/block your harassers

  • Together with your support person/friend and the log of receipts, decide on your course of action (these aren’t mutually exclusive):
    • Ignore: Sometimes harassers will walk away if they don’t get attention.
    • De-escalate: In some contexts, you can defuse the situation with some calm words before it gets worse.
    • Report: Report the harasser to the relevant online platform and/or your local law enforcement.
    • Mute on social media: Allows for peace of mind.
    • Block on social media: Maximizes peace of mind as the harasser won’t be able to see your posts. But they will notice and see it as a sign of escalation.
    • Go public: Can be dangerous, but sometimes shaming them publicly or rallying people to your support will make them go away.
  • For Twitter users:
    • Block previously-identified offenders using Block Together — ask around in your communities for shared block lists.
    • Block troll bots using Bot Sentinel.
    • Reduce dogpiling by blocking all followers of a certain profile using Red Block or Twitter Block Chain (only available on Chrome).
    • See what lists you’ve been added to by going to Profile → Lists → ··· → Lists you’re on. If you see a suspicious list or list owner, tap the three dots on the top right to report the list and leave the list by blocking the creator.
    • Filter unwanted mentions and replies using Block Party.

Notify other parties

  • If your physical safety is under threat, notify law enforcement or someone in your community with crisis experience for protection.
  • If the situation escalates, consider informing your employer, communities and family about what is going on, in case you might need their help at some point or so that they are not caught off-guard.

For more information

eyes Remove information about you off of the internet

If you’re about to become a public figure or are experiencing harassment, consider some of the suggestions below.

Clean up your social media presences

You might not need to delete your entire account, but consider deleting (or making private) posts that are old and/or reveal too much about where you live, where you go, and who you’re with.

  • Facebook:
    • See what your public profile looks and remove/restrict things as you see fit.
      • On desktop, go to your profile and click the eye button next to the right of the Edit Profile button.
      • On mobile, go to your proflie, tap the three dots on the right of Add Story and tap View As.
    • Make it so only friends can see your past posts.
      • On desktop, go to Settings → Privacy → Limit Past Posts.
      • On mobile, go to Settings & Privacy → Settings → Privacy Settings → Limit who can see past posts.
    • To bulk delete past posts, see this article in PC Magazine.
  • Whatsapp:
    • Swipe to delete individual conversations.
    • Delete chat content but keep the chat groups: Settings → Chats → Clear All Chats.
    • Delete all chats including the chat groups: Settings → Chats → Delete All Chats.
    • Turn off chat backups on WhatsApp (Settings → Chats → Chat backup) and delete your previous backups (instructions for iOS, Android).
  • Instagram:
    • Look through your profile and manually delete posts (tap the three dots above upper-right corner of a photo).
    • If need be, bulk delete using third-party tools.
  • Twitter:
  • Reddit and other forums:
    • There’s often no easy solution. Sometimes you have to delete your entire account, or in the case of Reddit, you have to use third-party scripts because deleting your account still leaves your posts up.

Remove your information from other people’s accounts or websites

Obscure your personal information

  • Use Burner or Hushed to set up burner phone numbers for calling/texting.
  • Get a PO box at a post office or use Traveling Mailbox (USA only) to hide your home address.
  • Delete old accounts to eliminate traces of personal information on the Internet. Use JustDeleteMe to accelerate this process.

broken_heart I think my partner is spying on me through my phone (stalkerware)

If you’re not sure and things between you and your partner aren’t that bad yet:

  • Keep a hidden, pen-and-paper log of suspicious incidents.
  • Make sure your partner is not getting information from previously shared accounts or because you left the location share on within Google Maps.
  • Review and redo the items in Levels 1-3 of this guide. Reset your passwords, check your privacy/data sharing permissions, and look up any apps you don’t recognize on your computer and phone.
  • Keep an eye out for other signs. E.g. your phone battery doesn’t last very long anymore, or your laptop internet connection is slow. Review the Coalition Against Stalkerware’s full of list of indicators.
  • Don’t delete suspicious apps immediately — you may need to keep them as evidence. Plus, deletion may also cause the situation with your partner to escalate.

If you’re pretty sure they’re spying on you and you’re scared:

  • Seek help. You should not go through this alone:
    • Find a public or friend’s computer/phone to contact the organizations in this global resource list compiled by the Coalition Against Stalkerware. Some of them can even help you collect evidence and remove stalkerware safely.
    • Reach out to a trusted friend (through a public device/line) and ask them to hold space for your situation and be your sounding board on analyzing how bad the situation is.
  • Keep digital and printed records of relevant texts, emails, calls, etc. See the NNEDV’s guide on documenting/saving evidence.
  • When you no longer need evidence anymore, remove the suspicous apps/stalkerware yourself either by deleting them one by one, or by performing a full factory reset on your computer/phone. (Buying brand new device is even safer of course.) Remember to reinstall apps and import data manually, lest you restore a backup with stalkerware in it.

For more information

bust_in_silhouette I don’t want to give out my real phone number for online dating/networking/organizing

For messaging apps that use phone numbers as the primary identifier/username (e.g. Signal, WhatsApp, Telegram), get a secondary number from:

  • Twilio (1 USD/month, but complicated setup – see the Twilio section here and this guide)
  • Google Voice (free but only available in the US)
  • Burner or Hushed (5 and 4 USD/month respectively + other prepaid plans for short-term use, US/Canada numbers)
  • A phone company: get a prepaid or cheap SIM card plan (rates vary)

For sites and services that use email as the primary identifier/username, get a separate, new email address.

Keep in mind:

  • If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.
  • Courts can still compel companies to hand over your information in most cases.

For true anonymity – create an untraceable online persona under a pseudonymn

zipper_mouth_face Traveling to a place with weak data protection laws or internet censorship

  • Be aware that the phone companies there might share your location data and personal info with others without permission.
  • Setup a VPN beforehand so you can a) access services uninterrupted, and b) to minimize the amount of data collected about you. Avoid VPNs that are free or have opaque ownership. See recommendations from Wirecutter and Freedom of the Press.
  • Consider traveling with a burner phone while leaving your laptop at home. This will be especially useful if you need to install new/untested software for work that might violate data privacy policies.
  • Re-evaluate which online services are safe to use:

persevere I need help now, my systems are under attack!

If you work as part of a civil society group, contact:

If you are being harassed online, contact:

Alternately, hotlines that don’t focus on digital/online safety may still be able to help:

If someone else has taken control of your accounts:

If you’ve been a victim of an online scam, fraud or ransomware:

sweat_dropsquestion Other recommendations

This section is a catch-all for difficult or esoteric practices that do not fall under any of our scenarios above and might not lead to an immediate payoff for the casual user.

Emails

  • Sign up for a Protonmail or Tutanota end-to-end encrypted email account.
  • Use PGP to secure your emails.

File storage & sharing

  • Use an end-to-end encrypted cloud storage service (not Dropbox): Tresorit, SpiderOak.
  • Use encrypted external USB/hard drives from companies like Apricorn.
  • If you want to send a file anonymously, use a special sharing service like OnionShare.
  • Instead of Google Docs or Microsoft Office, use CryptPad or Standard Notes (both are open-source and end-to-end encrypted).

Messaging apps

  • WhatsApp additional settings:
    • To be 100% end-to-end encrypted, turn off chat backups on WhatsApp (Settings → Chats → Chat backup) and delete your previous backups (instructions for iOS, Android).
    • Turn on security notifications on WhatsApp (Settings → Account → Security).
    • Set up a pin number (Settings → Account → Two-Step Verification) and email address (Account → Two-step verification → tap Add Email Address) to prevent your account from being moved without your permission.
  • Telegram:
    • Use only the Secret Chat function for secure chats (note that this means your messages will not show up in your desktop or web app)
    • Only allow your contacts to add / find your account
    • Turn on self-destruct timers for your Secret Chat.
  • Apple Messages:
    • Auto-delete messages after a year: `Settings → Messages → Keep Messages → 1 Year.
  • Check these two lists of secure messaging apps (Secure Messaging Apps Comparison and IntelTechnique’s Messaging) to learn more about security considerations beyond end-to-end encryption and what trade-offs you may be OK with.

Hosting/running a website

Other

  • Buy a YubiKey USB key to use for two-factor authentication. If you work in free speech/press/internet, you may qualify for a free Yubico for Free Speech.
  • Keep less information/data/photos on your devices – you can’t lose what you don’t have.
  • Don’t use smart TVs or smart speakers.
  • Turn suspicious PDFs into safe ones using Dangerzone.
  • Search the web anonymously with DuckDuckGo.
  • Access Facebook with more anonymity and/or bypass internet filtering by using its onion service.
  • If you (or your organization) is really wedded to the Google Suite, consider Google’s Advance Protection program.
  • Put your smart cards/passports/phones in a Faraday bag that blocks signals from going in and out. (See Micah Lee’s guide on them.)
  • Use One Time to send a password-protected, self-destructing message.
  • Use a more secure operating system: Tails (works off of a USB stick) or Qubes OS.
  • For Android users: Download apps using F-Droid, an open-source, security-focused app store.
  • For US residents: Freeze your credit to prevent bad actors from accessing or mis-using your personal information. See IntelTechniques’ Credit Freeze Guide for details.

trophy Oh my, you made it this far.
trophy You are a true champ!

brain Other resources

We consulted many sources and drew upon our own experiences in creating this resource. If you’re not finding quite what you want here, we recommend checking out these other resources:

memo License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

?? Special thanks

Special thanks to the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and to our GitHub contributors.

This article originally appeared on github.com

…Searching Always New Horizons.